LoFP / allowed administrative activities

Sample rules

Github Push Protection Disabled

Description

Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.

Detection logic

condition: selection
selection:
  action:
  - business_secret_scanning_custom_pattern_push_protection.disabled
  - business_secret_scanning_push_protection.disable
  - business_secret_scanning_push_protection.disabled_for_new_repos
  - org.secret_scanning_custom_pattern_push_protection_disabled
  - org.secret_scanning_push_protection_disable
  - org.secret_scanning_push_protection_new_repos_disable
  - repository_secret_scanning_custom_pattern_push_protection.disabled

Github Push Protection Bypass Detected

Description

Detects when a user bypasses the push protection on a secret detected by secret scanning.

Detection logic

condition: selection
selection:
  action|contains: secret_scanning_push_protection.bypass

Github Fork Private Repositories Setting Enabled/Cleared

Description

Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).

Detection logic

condition: selection
selection:
  action:
  - private_repository_forking.clear
  - private_repository_forking.enable

Github Secret Scanning Feature Disabled

Description

Detects if the secret scanning feature is disabled for an enterprise or repository.

Detection logic

condition: selection
selection:
  action:
  - business_secret_scanning.disable
  - business_secret_scanning.disabled_for_new_repos
  - repository_secret_scanning.disable
  - secret_scanning_new_repos.disable
  - secret_scanning.disable

Github SSH Certificate Configuration Changed

Description

Detects when changes are made to the SSH certificate configuration of the organization.

Detection logic

condition: selection
selection:
  action:
  - ssh_certificate_authority.create
  - ssh_certificate_requirement.disable

Github Repository/Organization Transferred

Description

Detects when a repository or an organization is transferred to another location.

Detection logic

condition: selection
selection:
  action:
  - migration.create
  - org.transfer_outgoing
  - org.transfer
  - repo.transfer_outgoing
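To show how the selections above behave against real-looking events, and how the "allowed administrative activities" false positive this page covers is typically handled, here is an added example (not code from LoFP or from the Sigma rules themselves) that transcribes the seven selections, evaluates them with Sigma's default case-insensitive string matching, and tags hits by a caller-supplied set of approved administrators; the audit-log events and actor names are constructed.

```python
from typing import Dict, List, Set, Tuple

# Selections transcribed from the rules on this page: (title, modifier, values).
# A plain list is an exact match; "contains" is Sigma's |contains modifier.
# Sigma compares strings case-insensitively by default, so both sides are lowered.
RULES: List[Tuple[str, str, List[str]]] = [
    ("Github Push Protection Disabled", "equals", [
        "business_secret_scanning_custom_pattern_push_protection.disabled",
        "business_secret_scanning_push_protection.disable",
        "business_secret_scanning_push_protection.disabled_for_new_repos",
        "org.secret_scanning_custom_pattern_push_protection_disabled",
        "org.secret_scanning_push_protection_disable",
        "org.secret_scanning_push_protection_new_repos_disable",
        "repository_secret_scanning_custom_pattern_push_protection.disabled"]),
    ("Github Push Protection Bypass Detected", "contains",
        ["secret_scanning_push_protection.bypass"]),
    ("Github Fork Private Repositories Setting Enabled/Cleared", "equals",
        ["private_repository_forking.clear", "private_repository_forking.enable"]),
    ("Github Secret Scanning Feature Disabled", "equals", [
        "business_secret_scanning.disable", "business_secret_scanning.disabled_for_new_repos",
        "repository_secret_scanning.disable", "secret_scanning_new_repos.disable",
        "secret_scanning.disable"]),
    ("Github SSH Certificate Configuration Changed", "equals",
        ["ssh_certificate_authority.create", "ssh_certificate_requirement.disable"]),
    ("Github Repository/Organization Transferred", "equals",
        ["migration.create", "org.transfer_outgoing", "org.transfer", "repo.transfer_outgoing"]),
]

def matching_rules(event: Dict[str, str]) -> List[str]:
    """Return the titles of every rule whose selection the event satisfies."""
    action = str(event.get("action", "")).lower()
    hits = []
    for title, modifier, values in RULES:
        if modifier == "contains":
            matched = any(v.lower() in action for v in values)
        else:
            matched = action in [v.lower() for v in values]
        if matched:
            hits.append(title)
    return hits

def triage(events: List[Dict[str, str]], approved_admins: Set[str]) -> List[Tuple[str, List[str], bool]]:
    """Pair each matching event with its rule hits and whether the actor is an
    approved administrator (the false-positive category this page describes)."""
    out = []
    for ev in events:
        hits = matching_rules(ev)
        if hits:
            out.append((ev["action"], hits, ev.get("actor") in approved_admins))
    return out

# Constructed sample audit-log events (not real GitHub output); only fields the rules use.
SAMPLE_EVENTS = [
    {"action": "repo.secret_scanning_push_protection.bypass", "actor": "dev1"},
    {"action": "org.secret_scanning_push_protection_disable", "actor": "admin1"},
    {"action": "repo.create", "actor": "dev2"},
]
```

An approved-actor flag only marks the hit as expected; a change ticket or maintenance window is still worth checking before closing it.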